[Xapian-tickets] [Xapian] #424: Magic filter limits are a bad idea

Xapian nobody at xapian.org
Fri Jan 8 03:17:10 GMT 2010 

#424: Magic filter limits are a bad idea
--------------------+-------------------------------------------------------
 Reporter:  chrisc  |       Owner:  olly
     Type:  defect  |      Status:  new 
 Priority:  normal  |   Milestone:      
Component:  Omega   |     Version:      
 Severity:  normal  |    Keywords:      
Blockedby:          |    Platform:  All 
 Blocking:          |  
--------------------+-------------------------------------------------------
Changes (by olly):

  * severity:  major => normal


Comment:

 These aren't meant to be "magic" limits, just a last ditch catch for a
 filter program which has gone into an infinite loop, or a finite loop with
 insane memory consumption.  If they are too tight for a particular genuine
 situation, they should be relaxed.

 I can see you might find them philosophically problematic, but they were
 added in response to actual instances of filter programs misbehaving in
 these ways, which prevents indexing the content.  So these limits address
 a potential denial of service by someone able to supply content to the
 indexer, which is a common scenario.  I don't see an alternative way to
 address this issue, but I'm happy to hear suggestions.

 I'm not totally averse to making them configurable (though I dubious if
 there isn't a practical benefit), but a default of "no protection" is a
 regression on this denial of service issue.

 Also, omega.conf is (at least currently) configuration for the omega CGI
 only.  If we're going to use
 it from the indexers, then the current search behaviour (environment var
 then "same directory as the omega CGI" then sysconfdir) needs considering
 as it means that the CGI and indexers can find
 a different configuration file, which is likely to catch some people out.

 Your patch is missing any documentation of the new options.  Also it would
 be better to use the standard functions for parsing integers.

-- 
Ticket URL: <http://trac.xapian.org/ticket/424#comment:1>
Xapian <http://xapian.org/>
Xapian

More information about the Xapian-tickets mailing list